Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon,  6 Jun 2016 20:48:34 -0400 (EDT)
From: cve-assign@...re.org
To: 271193918@...com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: 3 bugs refer to buffer overflow in in libtiff 4.0.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> #####################################
> 1) stack buffer overflow in thumbnail 
> #####################################
> 
> 
> Memory corruption bugs can be triggered when thumbnail function _TIFFVGetField handling maliciously crafted tiff file, 
> it will cause the target application to crash.
> 
> AddressSanitizer: stack-buffer-overflow ...
> WRITE of size 4

Use CVE-2016-5318.


> ####################################
> 2) heap buffer overflow in bmp2tiff
> ####################################
> 
> 
> Memory corruption bugs can be triggered when bmp2tiff handling maliciously crafted bmp file, it will cause the target 
> application to crash.
> 
> bmp2tiff.c:line 752 deals with comprbuf and does not check the length of Image width.
> 
> AddressSanitizer: heap-buffer-overflow ...
> READ of size 1 ...
>     #0 0x403b66 in main /root/Desktop/AFL/tiff-4.0.6-Asan/tools/bmp2tiff.c:745

We do not feel that a CVE ID is required for this issue. This is a
crash issue in the bmp2tiff command-line program, not an issue within
the libtiff library. Accordingly, it only affects use of the bmp2tiff
program, not other programs that a user may build with the library. If
the user accesses a crafted BMP file and observes a crash in
bmp2tiff, with the reported "READ" outside the bounds of a buffer,
then a complete solution may be for the user to avoid accessing that
specific BMP file again. As far as we can tell, this "READ of size 1"
does not affect the flow of control and is not exploitable for code
execution.


> ####################################
> 3) heap buffer overflow in bmp2tiff
> ####################################
> 
> Memory corruption bugs can be triggered when bmp2tiff handling maliciously crafted bmp file, it will cause the target 
> application to crash.
> 
> PackBitsEncode.c:line 85 does not check the length of bp passed through buf.

(the filename is actually tif_packbits.c not PackBitsEncode.c)

> AddressSanitizer: heap-buffer-overflow ...
> READ of size 1 ...
>     #0 0x48709f in PackBitsEncode /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_packbits.c:85
>     #1 0x458563 in TIFFWriteScanline /root/Desktop/AFL/tiff-4.0.6/libtiff/tif_write.c:173
>     #2 0x403f83 in main /root/Desktop/AFL/tiff-4.0.6/tools/bmp2tiff.c:775

Use CVE-2016-5319 for this PackBitsEncode issue.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXVg3mAAoJEHb/MwWLVhi22NIQALAzwueERmQaSsyOZkCiy7y3
2V7gEeiDH+nH8g6Qnf9iqHYY+uU6aRRG3RnhzLitDRj9N32UD4+UhnVC9J0kSL9+
Q/H0Q3H0erBQl0S/l6z7CVzpmHdDqGmE5Al7PVltTigCY5wpQCnnS/R9kmXJwStf
ZlYyqDNSrFHwtpv8Dmhf0mpdh7yQYWw77Xf/F7iZ9/VLlIPggwjqc4kUdiX7mrvX
QQUobtPzNZ/ATear95CpZxa8D5lFVi8RkSiTP8BW74Me3xLao16fezKSjR/hR+0L
ZNYBo6uHQmQsHMDur26ENGoonmiVKXMKtDnAtCLtJoOtG0d/b0QxdoEfUnele/xL
clcBqRmJYdI33cE7eA7nISzcuRJ5Jo2soSB4JvrqTZPiFoH8LGnQRtWGPUyxYWT+
Q86XvYFKdBE+Wv1s5dRKFVboXgfsTH8UUqbnzcPvKcBcFvdOyNIUIt3RVyncb6TE
6f7/Ffr18nksdd6oG9bB7Ke095Rhe+t0zXhRbT/2MpCUV93OCfxkFsZczCdR6EQQ
xWYHoaQLxbFICcX0Cq+UtstR7GZG8Ue1nOLbbkTC9/LBt10seXHAFxeI/s4kj4yH
7va4b2kv4borlBr5w1D9iLD+cbzrLvpOEKSIHzk40dWbJc71dbCRd+CGVCxq2UYU
WbQOieCXn2W3mw6MktxM
=OWHh
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.